Recent Blog Posts

As a part of helping untangle compliance initiatives, a popular request on the federal side is FISMA (Federal Information Security Management Act) compliance. In this post, I'll outline what FISMA compliance is, walk through it bit by bit, and talk about where SolarWinds products can help.

FIS-WHAT? What is FISMA? And how does NIST play into it? And FIPS?

What it actually means to take on what's commonly referred to as "FISMA compliance" is described in several NIST (National Institute of Standards and Technology) publications. The number of NIST publications out there is impressive, but there are really only a few we're interested in. A couple of these are FIPS (Federal Information Processing Standard) publications. Usually when we think of FIPS we think of encryption, but here we're mostly focused on security categorization and risk analysis.

NIST SP 800-53: This is the main "FISMA compliance" publication. It catalogs the security controls and describes which controls need to be applied to systems at each impact level.

FIPS 199 and FIPS 200: These two documents describe how to categorize systems on the network by impact level and derive their minimum security requirements. You'll need this categorization when you actually go to implement 800-53.

Here's a great summary, though wordy, of how all of that fits together:

FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, derive the information system impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

Okay, okay, how about the super TL;DR version? To apply the 800-53 controls that FIPS 200 requires, you first have to do the security categorization in FIPS 199. Whew!

Navigating and Implementing NIST 800-53 - High Level

We'll leave the whole exercise of categorizing risk up to you, since it'll be different for each environment. Once you've done that, as you walk through the 800-53 requirements, you'll see that different controls apply at different impact levels (low, moderate, high). Generally you'll have to comply with the "policy and procedures" controls at every level, but some of the finer-grained controls and control enhancements only apply at the higher levels.

Chapter 2 of NIST SP 800-53 (top of page 9) has a great breakdown of the steps (the Risk Management Framework) that need to be applied. Of interest to us when it comes to where SolarWinds products can help are:

Lastly, several products, including Log & Event Manager (LEM), Network Performance Monitor (NPM), Network Configuration Manager (NCM), and others, can be used to verify that controls are working as expected, detect attempted bypasses, and produce the reports that prove it.

I'll walk through each control and identify relevant products for each category as I go, so you don't have to memorize them all just yet.

Key Out of the Box Content for NCM and LEM

Before we dig into implementing key controls (Step 3), and as part of assessing and monitoring controls (Steps 4 and 6), there is out-of-the-box content in NCM and LEM designed to help:

For LEM:

There are hundreds of out-of-the-box reports, many of which are categorized for FISMA specifically. These reports help with Assess and Monitor by looking for exceptions to controls, unexpected changes or activity, or attempts to bypass controls. In the LEM Reports Console, navigate to Configure > Manage Categories, select FISMA, then click OK. To see the list, go to View > Industry Reports.

In addition, LEM includes dozens of correlation rules categorized for different compliance initiatives that can be quickly enabled. From the LEM Console, navigate to Build > Rules, and either launch the Add Rule Wizard or browse the categories on the bottom left. I'd recommend starting with General Best Practice, but as we go through the actual controls you should find relevant correlation rules wherever real-time notifications are useful.

For NCM:

NIST - Access Lists: identifies key access control lists that should be present on devices.

In the NCM web console, under CONFIGS, then Compliance, you should see them listed under the NIST category.

Control-by-Control Details

You might want to get a cup of coffee (or tea) while you read through this, as there's a lot here. Appendix F of 800-53 (the security control catalog) describes every control and its implementation in detail. I'm going to skip over a lot of them since they don't apply to SolarWinds products, but I'll include a description for each family and more detail where a control is especially relevant. Got your warm beverage? Let's get going.

AC-X: Access Control

General Notes: There are a few areas where our products can help, but a lot of these controls will be implemented at the policy or device level. For some of them, NCM can help you distribute configuration or identify violations when it comes to network devices; LEM can help audit and monitor for potential changes.

Of interest:

AC-2: Account Management:

You could use LEM to identify accounts that are created outside of these controls - e.g. service accounts being added to unexpected groups - either in real-time or via reports.

You could use LEM to audit when passwords were changed on accounts, when users were added to groups, etc - either in real-time or via reports.

LEM can help satisfy AC-2(4), Automated Audit Actions: auditing of account creation, modification, enabling, disabling, and removal, either in real time or via reports.

LEM can assist with AC-2(12), Account Monitoring / Atypical Usage, by looking for logon activity or patterns outside your environment's norms, either in real time or via reports.

AC-4: Information Flow Enforcement

LEM can help with AC-4(17), Domain Authentication, by auditing for local (non-domain) authentication activity on systems so you can confirm local logons are not being used, either in real time or via reports.

AC-6: Least Privilege

LEM can help audit where things deviate from least privilege - e.g. when an unexpected user accesses certain files, systems, or commands, either in real-time or via reports.

NCM can help audit device policies for existing privileged users as things change, and roll out configuration changes if necessary.

AC-7: Unsuccessful Logon Attempts

Usually this is implemented in IAM/Domain/system policy, but you can use LEM to confirm this policy is being enforced and see how frequently it is used, generally via reports/historical analysis.
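As an added illustration of the AC-2 and AC-7 monitoring described above (example code written for this page, not the post's own content and not how LEM implements its rules), here is rule logic of that kind run over a few constructed Windows Security events in a simplified key=value form. The event IDs are the standard Windows ones (4720 account created, 4728 member added to a security-enabled global group, 4624/4625 logon success/failure, 4740 account locked out); the privileged group names, the service-account naming convention, the change window, the business hours and the lockout threshold are assumptions standing in for your own policy.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a simplified key=value form. They are not LEM
# output; the IDs are the standard Windows Security event IDs named above.
SAMPLE_EVENTS = """\
ts=2015-08-10T09:12:03 id=4720 user=svc_backup actor=jsmith
ts=2015-08-10T09:12:40 id=4728 user=svc_backup group="Domain Admins" actor=jsmith
ts=2015-08-10T22:41:10 id=4720 user=tmp_admin actor=jdoe
ts=2015-08-10T22:42:02 id=4728 user=tmp_admin group="Domain Admins" actor=jdoe
ts=2015-08-11T02:15:00 id=4624 user=jsmith src=10.1.2.3
ts=2015-08-11T10:00:01 id=4625 user=bwayne src=10.9.9.9
ts=2015-08-11T10:00:02 id=4625 user=bwayne src=10.9.9.9
ts=2015-08-11T10:00:03 id=4625 user=bwayne src=10.9.9.9
ts=2015-08-11T10:00:04 id=4625 user=bwayne src=10.9.9.9
ts=2015-08-11T10:00:05 id=4625 user=bwayne src=10.9.9.9
ts=2015-08-11T10:00:06 id=4625 user=bwayne src=10.9.9.9
ts=2015-08-11T10:05:00 id=4625 user=ckent src=10.9.9.9
ts=2015-08-11T10:05:01 id=4625 user=ckent src=10.9.9.9
ts=2015-08-11T10:05:02 id=4625 user=ckent src=10.9.9.9
ts=2015-08-11T10:05:03 id=4625 user=ckent src=10.9.9.9
ts=2015-08-11T10:05:04 id=4625 user=ckent src=10.9.9.9
ts=2015-08-11T10:05:05 id=4740 user=ckent src=10.9.9.9
"""

# Policy parameters (assumptions; take them from your account management policy).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
SERVICE_PREFIX = "svc_"      # naming convention that marks service accounts
CHANGE_WINDOW = (8, 18)      # hours during which account changes are approved
BUSINESS_HOURS = (7, 20)     # interactive logons outside this range are atypical
LOCKOUT_THRESHOLD = 5        # AC-7: failures that must trigger a lockout...
LOCKOUT_WINDOW_MIN = 15      # ...within this many minutes


def parse_events(text):
    """Parse key=value lines (quoted values allowed) into dicts with typed ts/id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        fields["id"] = int(fields["id"])
        events.append(fields)
    return events


def in_hours(ts, window):
    """True if ts falls on a weekday inside the [start, end) hour window."""
    return ts.weekday() < 5 and window[0] <= ts.hour < window[1]


def account_change_findings(events):
    """AC-2(4): account creations outside the change window, and privileged group
    additions that involve a service account or happen outside the window."""
    findings = []
    for e in events:
        if e["id"] == 4720 and not in_hours(e["ts"], CHANGE_WINDOW):
            findings.append(("AC-2(4)", e["user"],
                             f"created outside change window by {e['actor']}"))
        elif e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS:
            if e["user"].startswith(SERVICE_PREFIX):
                findings.append(("AC-2(4)", e["user"],
                                 f"service account added to {e['group']} by {e['actor']}"))
            elif not in_hours(e["ts"], CHANGE_WINDOW):
                findings.append(("AC-2(4)", e["user"],
                                 f"added to {e['group']} outside change window by {e['actor']}"))
    return findings


def atypical_logon_findings(events):
    """AC-2(12): successful logons outside business hours."""
    return [("AC-2(12)", e["user"], f"logon at {e['ts']:%H:%M} from {e['src']}")
            for e in events if e["id"] == 4624 and not in_hours(e["ts"], BUSINESS_HOURS)]


def lockout_findings(events):
    """AC-7: a user reaching the failure threshold inside the window must produce a
    4740 lockout event; if none does, the lockout policy is not enforced there."""
    failures = defaultdict(list)   # user -> timestamps of 4625 events
    locked = set()
    for e in events:
        if e["id"] == 4625:
            failures[e["user"]].append(e["ts"])
        elif e["id"] == 4740:
            locked.add(e["user"])
    findings = []
    for user, stamps in failures.items():
        if user in locked:
            continue
        # sliding window: does any run of LOCKOUT_THRESHOLD failures fit in the window?
        for i in range(len(stamps) - LOCKOUT_THRESHOLD + 1):
            span = stamps[i + LOCKOUT_THRESHOLD - 1] - stamps[i]
            if span.total_seconds() <= LOCKOUT_WINDOW_MIN * 60:
                findings.append(("AC-7", user,
                                 f"{len(stamps)} failed logons within window but no lockout event"))
                break
    return findings


def run_all(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return (account_change_findings(events) + atypical_logon_findings(events)
            + lockout_findings(events))


if __name__ == "__main__":
    for control, user, why in run_all():
        print(f"{control:9} {user:14} {why}")
```

AC-2(4) is served by the account-change rule, AC-2(12) by the off-hours logon rule, and AC-7 by checking that a run of failures at the policy threshold was followed by a lockout event; a user who hits the threshold with no 4740 is the evidence that the policy is not enforced on that system.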

AC-8: System Use Notification

Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.

AC-9: Previous Logon (Access) Notification

Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.

AC-10: Concurrent Session Control

Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.

AC-11: Session Lock

Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.

AC-12: Session Termination

Where required across network devices, NCM can help distribute config or identify configs that don't match expected settings.

AC-16: Security Attributes

Depending on how controls are implemented, it's possible that LEM can help identify when things deviate from expected policy, either in real-time or via reports.

AC-17: Remote Access

LEM can help audit/monitor remote access, but not implement controls. LEM can also help audit where remote access is being used outside of expected controls (e.g. controls are being bypassed, or attempts to bypass are being made). As usual, this can be done either in real-time or via reports.

Explicitly, LEM can help with AC-17(1), Automated Monitoring / Control.

NCM can help audit where and how remote access is being used across network devices, identify violations, and potentially roll out policy changes if necessary.
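On the NCM side, AC-7, AC-8, AC-12 and AC-17 for a network device reduce to whether the expected lines are present in its configuration. The following is an added example of such a compliance check (written for this page; not NCM's policy engine or a SolarWinds report) run over two constructed Cisco IOS-style configurations, one that passes and one that fails. The required banner phrase, the maximum idle time and the lockout values are assumptions to replace with your own policy.

```python
import re

# Constructed Cisco IOS-style configs (not pulled from any real device).
COMPLIANT = """\
hostname core-rtr-1
login block-for 120 attempts 3 within 60
banner login ^C
WARNING: This is a U.S. Government information system. Use is monitored.
^C
ip access-list extended MGMT-ACCESS
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
line vty 0 4
 exec-timeout 10 0
 access-class MGMT-ACCESS in
 transport input ssh
"""

NONCOMPLIANT = """\
hostname branch-sw-7
banner motd ^C
Welcome to branch-sw-7
^C
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

# Policy values (assumptions; set them from your own AC-7/AC-8/AC-12 decisions).
REQUIRED_BANNER_PHRASE = "monitored"
MAX_IDLE_MINUTES = 15


def blocks(config, prefix):
    """Return (header, [indented child lines]) for each top-level stanza whose
    header starts with prefix, e.g. every 'line vty ...' stanza."""
    lines = config.splitlines()
    found, i = [], 0
    while i < len(lines):
        if lines[i].startswith(prefix):
            header, children = lines[i], []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                children.append(lines[i].strip())
                i += 1
            found.append((header, children))
        else:
            i += 1
    return found


def banner_text(config, kind="login"):
    """Body of 'banner <kind> ^C ... ^C', or None if that banner is absent."""
    m = re.search(rf"^banner {kind} \^C\n(.*?)^\^C", config, re.M | re.S)
    return m.group(1) if m else None


def first(children, keyword):
    return next((c for c in children if c.startswith(keyword)), None)


def check_config(config):
    """Return a list of (control, message) violations; an empty list is compliant."""
    v = []
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+", config, re.M):
        v.append(("AC-7", "no 'login block-for' lockout configured"))
    banner = banner_text(config)
    if banner is None or REQUIRED_BANNER_PHRASE not in banner.lower():
        v.append(("AC-8", "login banner missing or lacks the required monitoring notice"))
    acls = {m.group(1) for m in
            re.finditer(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)}
    vty = blocks(config, "line vty")
    if not vty:
        v.append(("AC-12", "no vty lines found"))
    for header, body in vty:
        timeout = first(body, "exec-timeout")
        if timeout is None:
            v.append(("AC-12", f"{header}: exec-timeout not set explicitly"))
        else:
            parts = timeout.split()[1:]          # minutes [seconds]
            mins = int(parts[0])
            secs = int(parts[1]) if len(parts) > 1 else 0
            if mins == 0 and secs == 0:
                v.append(("AC-12", f"{header}: 'exec-timeout 0 0' disables idle termination"))
            elif mins > MAX_IDLE_MINUTES:
                v.append(("AC-12", f"{header}: idle timeout {mins} min exceeds {MAX_IDLE_MINUTES}"))
        ac = first(body, "access-class")
        if ac is None:
            v.append(("NIST - Access Lists", f"{header}: no access-class applied"))
        elif ac.split()[1] not in acls:
            v.append(("NIST - Access Lists",
                      f"{header}: access-class references undefined ACL {ac.split()[1]}"))
        transport = first(body, "transport input")
        if transport is None or set(transport.split()[2:]) != {"ssh"}:
            v.append(("AC-17", f"{header}: transport input must be ssh only"))
    return v


if __name__ == "__main__":
    for name, cfg in (("core-rtr-1", COMPLIANT), ("branch-sw-7", NONCOMPLIANT)):
        result = check_config(cfg)
        print(name, "OK" if not result else "")
        for control, msg in result:
            print(f"  {control}: {msg}")
```

Note that exec-timeout 0 0 is the case to look for explicitly, since it disables the idle timeout rather than setting one, and that an access-class naming an ACL the config never defines is reported as a failure rather than silently passed.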

AC-19: Access Control for Mobile Devices

You may be able to use User Device Tracker (UDT) to detect usage of devices that are in those classified networks/facilities, and possibly also use LEM to identify authentication from unexpected users or devices.

AC-20: Use of External Information Systems

LEM can help audit AC-20(2), Portable Storage Devices, and AC-20(3), Non-Organizationally Owned Devices: USB-Defender records use of portable storage and personal devices when policy is bypassed or ignored.

AC-23: Data Mining Protection

You may be able to use LEM with SQL Auditor or Database Performance Analyzer (DPA) to identify when large queries or unexpected activity is being done to a database.

AT-X: Awareness Training

AU-X: Audit and Accountability

General Notes: A lot of this family is about what data you feed into a system like LEM and how that data needs to be preserved. LEM can satisfy some controls directly. The comments below cover how LEM treats the relevant data, how it should be implemented to satisfy a control, or where it satisfies a requirement outright.

A really good note from AU-6(10), Audit Level Adjustment, to keep in mind: you can adjust audit levels as organizational needs and risks change. You don't have to just enable the firehose.

Of Interest:

AU-2: Audit Events

LEM helps serve this, but this control is about what you feed into LEM.

AU-3: Content of Audit Records

Again, LEM stores this data, but generally this is up to logging sources. Where we normalize data, we preserve these fields.

AU-3(2), Centralized Management of Planned Audit Record Content, is about automation. At a low level you would satisfy it with tools like NCM (for devices) or Group Policy, but LEM plays a part by automating connector configuration with connector profiles, so that the right data is captured from similar systems.

AU-4: Audit Storage Capacity

Depending on your retention requirements, you need to ensure LEM has enough storage capacity to meet them, and you can implement archiving as well.

AU-5: Audit Processing Failures

LEM can generate events when agents go offline, when there's an issue storing or processing data, and when it is running out of disk space. On behalf of other systems, it can alert when their audit logs are cleared and when hardware issues are detectable from log data.

AU-6: Audit Review, Analysis, and Reporting

LEM satisfies this requirement; it's up to you to decide which systems need to be audited and for what, and to ensure the required data is logged for collection.

Correlation with some data sources (e.g. "non-technical sources" in AU-6(9)) may have to be a manual process done as a part of investigation.

AU-7: Audit Reduction and Report Generation

LEM satisfies this requirement.

AU-8: Time Stamps

LEM satisfies this requirement (note: LEM also uses the timestamps provided by log sources, which may only be accurate to the second).

AU-14: Session Audit

For AU-14(3), Remote Viewing / Listening, you may be able to satisfy some requirements with DameWare.

AU-15: Alternate Audit Capability

You may want to set up backup logging for devices that send syslog, or architect LEM so that you can still go to the individual systems, syslog servers, or servers directly to prove you can access the data.

CM-X: Configuration Management

You may be able to use LEM to audit when configuration changes are made, depending on which components and policies actually changed; NCM covers network devices, including workflows such as dual authorization for changes.

CM-6: Configuration Settings

CM-6(1) - automated central management - use NCM for network devices.

CM-6(2) - NCM can help for devices, and LEM can potentially alert on relevant events in real-time.

CM-7: Least Functionality

LEM can help audit when unauthorized software and programs are being executed.

CM-8: Information System Component Inventory

Patch Manager can help audit software and system status.

CM-10: Software Usage Restrictions

You can use LEM to audit when P2P and other software is used in general, and Patch Manager to audit what's installed on a system, but it may not ultimately be perfect.

CM-11: User Installed Software

You can use LEM to audit when software is being installed, and Patch Manager to know what's on a system.

CP-X: Contingency Planning

IA-X: Identification and Authentication

IR-X: Incident Response

General Notes: For the most part, LEM can help when it comes to incident generation and investigation, and also leveraging active response can provide you in-the-moment capabilities to deal with incidents as they occur.

Of Interest:

IR-4: Incident Handling

LEM can support this - including IR-4(4) information correlation, IR-4(5) automatic disabling of information system, and IR-4(9) dynamic response capability.

IR-5: Incident Monitoring

LEM may generate incidents from correlated activity, and this information can be tracked and stored (reports produced, alerts sent, etc).

IR-6: Incident Reporting

LEM can help support IR-6(1), Automated Reporting, by reporting correlated incidents detected within LEM. (Where other SolarWinds products are used to detect and generate incidents, this is generally true of them as well.)

MA-X: System Maintenance

General Notes: NCM is a key player here, helping control and manage approvals for network devices. LEM can alert when activity doesn't match your expected maintenance policies.

Of Interest:

MA-2: Controlled Maintenance

NCM can help with MA-2(2) automated maintenance for network devices, and LEM can help audit when maintenance is taking place outside of expected maintenance windows.

MA-4: Nonlocal Maintenance

LEM can help audit MA-4(1) - auditing and review of nonlocal maintenance.

NCM can help with MA-4(5) - approvals and notifications - when it comes to network devices.

MP-X: Media Protection

General Notes: Most of this isn't relevant when it comes to SolarWinds products, but there's one area when it comes to removable devices where LEM's USB-Defender can help.

Of Interest:

MP-2: Media Access

LEM's USB-Defender can help with the USB removable media component of this.

PE-X: Physical & Environmental Protection

PL-X: Security Planning

General Notes: Several of the controls in this family may be supported by LEM, which can centrally manage auditing and monitoring, especially for PL-9, Central Management. Also of interest is PL-8, Information Security Architecture, which mentions defense-in-depth techniques.

PS-X: Personnel Security

General Notes: A lot of this is external and policy-related, but think about using LEM to ensure that what should have happened actually did (trust, but verify).

Of Interest:

PS-4: Personnel Termination

May use LEM to audit usage of credentials and ensure attempts to use them do not continue after users are terminated.

PS-7: Third Party Personnel Security

May use LEM to audit usage of third-party credentials and ensure attempts to use them do not continue after those users are terminated.
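For PS-4 and PS-7, the verification is a join between the HR roster and the logon record. Below is an added example of that check (written for this page; not from the post and not a LEM report), correlating a constructed termination roster, one entry of which is a third-party contractor account, against constructed Windows Security events (4725 account disabled, 4624/4625 logon success/failure). The four-hour disablement SLA is an assumption.

```python
import csv
import io
import shlex
from datetime import datetime, timedelta

# Constructed HR roster of terminated accounts (not real data); the second row is
# a third-party contractor account, which PS-7 expects to be handled the same way.
TERMINATIONS = """\
user,company,terminated
jdoe,Internal,2015-08-03T17:00:00
contractor_ab,Acme Contracting,2015-08-05T12:00:00
mlee,Internal,2015-08-06T17:00:00
"""

# Constructed Windows Security events in a simplified key=value form:
# 4725 = account disabled, 4624 = successful logon, 4625 = failed logon.
LOGON_EVENTS = """\
ts=2015-08-03T17:30:00 id=4725 user=jdoe actor=helpdesk
ts=2015-08-04T08:10:00 id=4625 user=jdoe src=10.1.1.5
ts=2015-08-05T09:00:00 id=4624 user=contractor_ab src=203.0.113.7
ts=2015-08-06T07:45:00 id=4624 user=contractor_ab src=203.0.113.7
ts=2015-08-07T09:01:00 id=4624 user=mlee src=10.1.1.9
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            f = dict(tok.split("=", 1) for tok in shlex.split(line))
            f["ts"] = datetime.fromisoformat(f["ts"])
            f["id"] = int(f["id"])
            events.append(f)
    return events


def parse_roster(text):
    return [{"user": r["user"], "company": r["company"],
             "terminated": datetime.fromisoformat(r["terminated"])}
            for r in csv.DictReader(io.StringIO(text))]


def termination_findings(roster_csv, events_text, sla_hours=4):
    """For each terminated user: confirm a disable event arrived within the SLA
    (assumed 4h), then report any logon attempt after the termination time.
    Returns a list of (user, severity, reason)."""
    sla = timedelta(hours=sla_hours)
    findings = []
    events = parse_events(events_text)
    for person in parse_roster(roster_csv):
        user, cutoff = person["user"], person["terminated"]
        mine = [e for e in events if e["user"] == user]
        disabled = [e["ts"] for e in mine if e["id"] == 4725 and e["ts"] >= cutoff]
        if not disabled:
            findings.append((user, "HIGH",
                             f"{person['company']} account not disabled after termination"))
        elif disabled[0] - cutoff > sla:
            findings.append((user, "MEDIUM",
                             f"disabled {disabled[0] - cutoff} after termination, SLA is {sla}"))
        for e in mine:
            if e["ts"] <= cutoff or e["id"] not in (4624, 4625):
                continue
            if e["id"] == 4624:
                findings.append((user, "HIGH",
                                 f"successful logon from {e['src']} at {e['ts']} after termination"))
            else:
                findings.append((user, "MEDIUM",
                                 f"failed logon attempt from {e['src']} at {e['ts']} after termination"))
    return findings


if __name__ == "__main__":
    for user, severity, reason in termination_findings(TERMINATIONS, LOGON_EVENTS):
        print(f"{severity:6} {user:14} {reason}")
```

A successful logon after the termination time is the serious finding, since it means the account was never disabled; a failed attempt against a disabled account is lower severity but still worth alerting on, as it shows the credential is still being tried.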

RA-X: Risk Assessment

General Notes: There's a lot of policy and procedure here, and really only one area where LEM and Patch Manager especially can help.

Of Interest:

RA-5: Vulnerability Scanning

You can use Patch Manager to assess vulnerable systems by their missing patches.

RA-5(1), Update Tool Capability, and RA-5(2), Update by Frequency / Prior to New Scan / When Identified: Patch Manager is automatically updated with new patches.

RA-5(8), Review Historic Audit Logs: Patch Manager includes audit activity of what is being patched and tracked.

Also, you can use LEM together with a vulnerability scanner to support RA-5(6) and RA-5(8), along with RA-5(10), Correlate Scanning Information.

SA-X: System & Services Acquisition

General Notes: There's not a lot that applies here to us, but it's worth mentioning that SA-4(8) speaks to ensuring new systems/apps include activity that can be monitored as part of continuous monitoring planning. Think about how you're going to monitor systems as you implement them, rather than after the fact.

SC-X: System & Communications Protection

General Notes: SC is a pretty fascinating set of controls, with everything from cryptography, to honeypots, to detonation chambers. There's a few places I made notes where SolarWinds products are relevant.

You could also use NPM and NetFlow Traffic Analyzer (NTA) where traffic comes into play, to detect unexpected traffic patterns or performance problems that indicate security issues.

SI-7: Software, firmware, and information integrity

You can use LEM to detect some unexpected changes (e.g. Windows system file checks generate events), and you can also use LEM's FIM to detect changes to critical files and registry keys.

LEM would also support SI-7(5) automated response, SI-7(7) integration of detection and response, and SI-7(8) auditing capability for significant events

SI-15: Information Output Filtering

You would want to integrate these into LEM, and consider something like LEM's SQL Auditor to detect failures when it comes to databases.

Double whew! I bet your hot beverage cup is empty at this point, perhaps I should have warned you to use the large one.

Got FISMA?

Hopefully at this point we've given you a lot more info on how we can help you get moving with FISMA compliance. If you've got questions, feel free to post them and we'll update the post as things change or more details are necessary.

Now that Virtualization Manager (VMAN) 6.3 includes new management actions, alert remediation, and more, we've moved full steam ahead on the next release. We are continuing the evolution into a complete monitoring and management tool for virtualization environments. Here are the highlights of what we are currently working on:

Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

Over the last few months, the Log & Event Manager (LEM) team has been working hard on a not so short list of features. I'm excited to announce that a major feature of the upcoming release of LEM 6.2 will be something that you all have asked for time and again: Threat Intelligence Feed integration. And so, I decided to take a moment to show off a bit of what the feature will look like and provide a chance to test the new functionality.

So before I get started, feel free to click below to be included in the LEM 6.2 beta program to test out new features such as the Threat Intelligence Feed and more.

What's in the Threat Intelligence Feed for me?

The concept of threat intelligence has been covered in security news for some time now. The problem is that, generally speaking, the term admits a broad range of implementations and so can mean something different to each vendor. So why should you care about the feature as it applies to SolarWinds? LEM 6.2's Threat Intelligence Feed will let your organization recognize and handle already known and proven threats. With LEM checking activity in your environment against a list of known malicious indicators, you can fold the shared knowledge of top, reputable threat lists into your own workflows and protect yourself from the risk these threats pose. Since that is a lot of words, let's jump into some screenshots that will help clarify what the new feature brings.

From Reactive to Proactive

LEM's new Threat Intelligence Feed is what allows your organization to move from reactive detection, looking around your environment as best you can and hoping to surface suspicious activity, to proactive detection: workflows that ensure you know right away when known bad actors have made their way into your environment.

We've all been there before: pulling down a list of threat indicators and manually searching for traces of them throughout our environment. With the Threat Intelligence Feed that won't be necessary, because the part we know our customers will delight in most is the ease of implementation. All you have to do is check a box in your LEM console's Appliance Properties screen and you've enabled automatic coverage of some of the top threat lists available today.

Search and Filters and Rules - Oh my!

Once enabled, LEM will automatically begin detecting threats in your environment. And if it finds something, it's readily available to you throughout LEM. The first place you'll be able to find it is through an nDepth search (see below - the highlighted event has been flagged by LEM as a known threat).

Of course, search isn't the ideal way to consume such critical security information, so we will also include out-of-the-box functionality that helps you get the most value from this feature. This includes pre-built filters, such as the one for All Threat Events seen in the screenshot below.

And, finally, who would we be if we didn't provide out-of-the-box correlation rules, allowing you to take action and alert whenever a threat event is found in your environment (just in case you don't spend your whole day in the LEM console - which is how I spend mine). See the image below for a rule to take action on a potential threat flagged by the Threat Intelligence Feed.
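What happens behind that checkbox is, in principle, a lookup of each event's network fields against the feed. The following is an added example of that matching (written for this page, not LEM's implementation), using a constructed indicator list with single IPs, CIDR ranges and domains, matched against constructed firewall and DNS events, followed by one correlation rule of the kind the screenshots describe. Real feeds carry more indicator types, confidence scores and expiry, which this example omits.

```python
import ipaddress
import shlex

# Constructed indicator list, one per line as type,value,source (not a real feed).
INDICATORS = """\
ip,198.51.100.23,example-feed-a
cidr,203.0.113.0/24,example-feed-b
domain,bad.example.net,example-feed-a
"""

# Constructed firewall and DNS events in a simplified key=value form.
EVENTS = """\
ts=2015-08-12T10:00:00 type=firewall src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow
ts=2015-08-12T10:00:05 type=firewall src=10.0.0.7 dst=93.184.216.34 dport=80 action=allow
ts=2015-08-12T10:01:00 type=dns src=10.0.0.5 query=updates.bad.example.net
ts=2015-08-12T10:02:00 type=firewall src=203.0.113.77 dst=10.0.0.22 dport=22 action=deny
ts=2015-08-12T10:03:00 type=dns src=10.0.0.9 query=www.example.com
"""


class ThreatIndex:
    """Exact IPs in a dict, CIDR ranges in a list, domains in a dict; each maps
    to the name of the feed that listed it."""

    def __init__(self):
        self.ips, self.nets, self.domains = {}, [], {}

    @classmethod
    def from_text(cls, text):
        idx = cls()
        for line in text.splitlines():
            if not line.strip():
                continue
            kind, value, source = (p.strip() for p in line.split(","))
            if kind == "ip":
                idx.ips[ipaddress.ip_address(value)] = source
            elif kind == "cidr":
                idx.nets.append((ipaddress.ip_network(value, strict=False), source))
            elif kind == "domain":
                idx.domains[value.lower().rstrip(".")] = source
        return idx

    def match_ip(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip in self.ips:
            return self.ips[ip]
        for net, source in self.nets:
            if ip in net:            # False, not an error, when IP versions differ
                return source
        return None

    def match_domain(self, name):
        # Walk from the full name up to its two-label parent so a listed domain
        # also catches its subdomains; tighten this if parent matching is too
        # noisy for your feeds.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return self.domains[candidate]
        return None


def parse_events(text):
    return [dict(tok.split("=", 1) for tok in shlex.split(line))
            for line in text.splitlines() if line.strip()]


def flag_events(events, index):
    """Tag each event whose src, dst or query matches an indicator."""
    hits = []
    for e in events:
        for field in ("src", "dst"):
            if field in e:
                source = index.match_ip(e[field])
                if source:
                    hits.append({"event": e, "field": field,
                                 "indicator": e[field], "source": source})
        if "query" in e:
            source = index.match_domain(e["query"])
            if source:
                hits.append({"event": e, "field": "query",
                             "indicator": e["query"], "source": source})
    return hits


def internal_hosts_contacting_threats(hits):
    """Rule: internal hosts that resolved, or were allowed to connect to, a listed
    destination. An inbound probe from a listed source that the firewall denied
    still shows up as a hit, but is not evidence that an internal host is affected."""
    hosts = set()
    for h in hits:
        e = h["event"]
        if e["type"] == "dns" and h["field"] == "query":
            hosts.add(e["src"])
        elif e["type"] == "firewall" and h["field"] == "dst" and e.get("action") == "allow":
            hosts.add(e["src"])
    return hosts


if __name__ == "__main__":
    index = ThreatIndex.from_text(INDICATORS)
    hits = flag_events(parse_events(EVENTS), index)
    for h in hits:
        print(f"{h['event']['ts']} {h['field']}={h['indicator']} listed by {h['source']}")
    print("hosts to investigate:", sorted(internal_hosts_contacting_threats(hits)))
```

The rule separates an internal host that resolved or was allowed to reach a listed destination (worth an incident) from a listed source that was merely denied at the perimeter (worth a hit in search, not an incident), which is the kind of distinction a pre-built filter such as All Threat Events leaves to the correlation rules.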

In summary

While there's more in store for the release of LEM 6.2, the Threat Intelligence Feed is a feature we are excited about and hope that you are excited about too. As such, we want to get this into your hands ASAP so we can get your thoughts on it while we still have time to make fixes and improvements.

So if you're a current LEM customer interested in testing out LEM 6.2 and getting your hands on new features such as the Threat Intelligence Feed, sign up for the beta here.

Since the release of NPM 11.5 we've been hard at work building the next round of new functionality and improvements to existing functionality. I'm excited to share the following list of items we're working on:

Updated UI Look and Feel - The UI is receiving some love this release, spanning across NPM, SAM, VMAN, and the other Orion based products.

Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

I’ve got a question for you: "If Orion were a car, what kind of car would it be?"

We recently asked customers this question during feedback sessions. The responses were quite consistent, and very telling. One user said:

“A Ram 1500 work truck; it’s got lots of compartments for tools but sometimes I just can’t find that wrench I need even though I know it’s in there somewhere! It’s not as luxurious or attractive as some of its competitors”

Agreed - Orion certainly is a workhorse! In addition to comments about the attractiveness of the design, there is a deeper theme in this quote that many other users echoed. We can do better in terms of findability and usability. To address these concerns, we are working on a series of user experience (UX) improvements that we plan to release in addition to our normal features and functionality.

Catching up with the times

As a first step, we've been working to modernize and refresh the UI. While these changes may appear to be a basic facelift, our primary goal is to set the stage for the future.

We focused on a few key areas that we've heard loud and clear from you:

Minimize space used by the header and make more room for data. The current header takes up a lot of space, the tabs can be difficult to navigate (try hovering over a tab and then clicking on the last item in the menu bar), and that big yellow notification banner? No, thank you. The content on the page should be front-and-center.

Eliminate visual noise to help you focus on what is important. The current visual design uses a mixture of colors, styles and iconography which are pretty on their own, but make it hard to parse the UI when they are shown all together. Taking a step back, the UI should highlight status, exceeded thresholds and alerts. The big red things should draw your attention.

Simplify, but support density of information. There is a delicate balance between creating a roomy, clean visual design and showing data in proximity with other necessary pieces of information. Our goal is to stop the "pogo stick" effect, which requires you to jump around the page to find what you need. We haven't fully addressed this issue with the UI refresh, but we have taken baby steps.

You tell us, "If this version of Orion were a car, what kind of car would it be?"

Rome Wasn’t Built in a Day!

We’re putting the final touches on the modern UI, and now we’re kicking off deeper UX improvements. Joel Dolisy, our CTO, recently referenced these efforts during the thwackCamp keynote address (1min 26sec).

Here is a sneak-peek at some the ideas we’re investigating:

Re-building the front-end using browser UI frameworks and HTML5 - AngularJS, CSS3, and some cool visualization engines for those of you who really want to geek out. Here's looking at you, wanine39!

Pulling data from multiple sources to create powerful visualizations. For example, stacking performance metrics on a single timeline for easy correlation (see a conceptual design below).

Improving user interactions to keep up with excellent browser applications - Google Maps, Photos, etc. More exciting interactions should take our products beyond useful, and in to the realm of delightful.

Become an active partner in UI and UX design

Input from you, our users, has helped to shape the direction we’ve taken. Keep the feedback coming to ensure that we stay on track! There are a couple ways to stay involved:

Get a sneak peek and share feedback on the UI refresh through the SAM 6.3 beta

Give us early feedback on ideas, designs and builds by signing up to participate in walkthroughs and feedback sessions with our research team (Hi Kellie!):

SolarWinds Time Machine

And now, for some fun, here's a brief history of the Orion UI! Which is the earliest version that you remember?

Disclaimer: Comments given in this forum should not be interpreted as a commitment that SolarWinds will deliver any specific feature in any particular time frame. All discussions of future plans or product roadmaps are based on the product team's intentions, but those plans can change at any time.

It's been a while since we talked about SolarWinds Patch Manager and patching in general here on the Product Blog, but with VMworld 2015 right around the corner, all things virtual are on our minds. Here are a few quick considerations when thinking about patching and maintaining virtual systems.

Is patching virtual (guest) systems really different? Yes, and no.

At the most fundamental level, patching virtual guest systems isn't really different from patching physical systems. You back the system up (hopefully), you install patches (which you tested first, right?), and if necessary, finish with a reboot. Seems simple enough, but there are points along the way where we can really take advantage of virtual systems, and where virtual systems can back us up when we're being lazy (or hasty).

Backing up the system: here we can take advantage of the virtual environment's ability to take snapshots, either through integration with our backup system, integration with our patching system, or by hand. Snapshots can really cover your assets when you make a mistake, or when a patch has unintended consequences (not that vendors ever make a mistake, right?). If a system fails to come back after a patch or you need time to diagnose an issue, reverting to the snapshot while you clone and re-test is much simpler than the old-school "restore from a backup? sigh..." or relying on Windows to have taken a reliable system restore point.

Testing patches: with snapshots and a virtual environment (or even a hybrid or cloud environment), you can clone a live system into a testbed relatively easily. Gone are the days of drive imaging and system cloning, or having standby hardware in a test environment just because it's identical to production. Now, you can clone a snapshot of a production system, tweak its network and VM configuration to move it over to your test environment, and install and test patches pretty easily.

Installing and rebooting: while systems are patching and rebooting, virtual environment HA configurations can help plug some of the holes of down systems without dealing with operating system clustering technologies directly. Both can be admittedly cumbersome to set up the first time, but virtual HA can save your bacon and minimize impact to your downstream users.

Don't forget your hypervisor!

When it comes to Hyper-V, patching your hypervisor really is all about patching your OS. Tools like Patch Manager are going to make it easy to stay up to date with Windows patches (AND third party patches, too). With Patch Manager on top of WSUS or SCCM, you can make intelligent groupings of systems, both for status and reporting details and for patching.

For vSphere (ESXi)-based systems, patching your hypervisor is a little more complex, and patches have been coming out about monthly. There's a handy table of build numbers to patches published in the VMware Knowledge Base that shows the patch history, and VMware has a Patch Portal to help you find and download the updates that apply to you, plus see which KB articles each patch resolves. I'd recommend showing the "Severity", "Category", and "System Impact" columns to help you understand which patches are most critical (keep a keen eye on security updates) and what the impact will be to running systems.

Patching utilities for host<->guest communication is important, too

Within virtual guest systems, there are usually utilities that establish good host to guest (and vice versa) communication. These tools let you perform clean maintenance tasks like shutdown, reboot, and snapshot; provide time synchronization (very useful if you're doing any log analysis, troubleshooting, or anything certificate-based where time can matter a lot); and provide insight into what's on a guest or host OS.

When it comes to VMware Tools specifically, you won't get the tools "for free" when you bring up a clean guest OS until you install them, though thankfully most modern Linux distributions include open-vm-tools by default (or easily added). For those of you tired of this deployment process on Windows, though, we've got good news! Patch Manager now includes VMware Tools packages in our third party update catalog. With Patch Manager, you can now automatically download and deploy VMware Tools updates just like Windows (and other third party) updates.

For existing Patch Manager customers, you can add the VMware Tools library to your patching catalog by following a few steps:

1. Use the Third Party Updates Configuration Wizard to synchronize available updates from SolarWinds

2. Click "Next" when the Wizard completes to see the full list of available updates from all vendors.

3. Scroll down and make sure "VMware Tools" and "VMware Tools (Upgrade)" are selected from the list of subscriptions.

4. Click Next to confirm your package synchronization schedule, then Finish.

5. To see the available packages and versions, go to Administration and Reporting > Software Publishing, then right click and select "Refresh". After doing so, you should see "VMware, Inc" appear in the list, and see the respective packages.

6. From here, you can select to publish the packages to your WSUS/SCCM server (click "Publish Packages" on the right). Select x86 if you've got any 32-bit systems out there, otherwise select x64, then click Next.

7. You'll watch an awesome progress bar for a little bit as it downloads and pushes the packages... then click Next to continue.

8. What do you know, more awesome progress bars as it pushes the packages to the Patch Manager server (there will be two at first as it pushes the files, then one warning you to be patient as it publishes). Once it's done, you can hit "Finish" to complete the publishing step.

9. If you head back up to your Updates view, you'll see the new packages in the list.

Update Services > <your server> > Updates > Third Party Updates (you might have to right click on "Updates" and click "Refresh" first).

10. From here, you can do your standard Patch Manager tasks, such as approving the package for distribution and deciding which systems should receive the package/update. Click "Approve", then for each target group select it and click the "Approved for Install" button (in my example, I approved the update for my Servers group), then click OK. You'll see another fancy progress bar while things finish, then confirm.

What's Next for Patching Virtual Systems?

If you check out the Patch Manager What We're Working On, you'll see specific mention of more features we're looking at adding regarding patching virtual systems - including the automated snapshotting (and potentially reverting) mentioned above.

What big issues do you have with patching virtual systems? What can we do to help?

Since the release of Server & Application Monitor (SAM) 6.2, the team has been busily plugging away on a long list of new features and general product enhancements. Chief among them are improvements to the aesthetics and overall design of the Orion web interface. While not the primary focus of this blog post, it is nearly impossible to post screenshots for some of what we've been working on without divulging some sneak peeks into the very early stages of this interface design refresh. A follow-up blog post is currently in the works that will go into detail and explain our multi-phased approach for delivering a fresh, clean, and modernized interface for all products that run atop the Orion platform. Suffice it to say, it is our aim to accelerate overall Orion web interface performance, dramatically improve usability for many of the most common tasks, and refine and enhance the product's visual appearance as part of this endeavor. Continue watching the Product Blog for more specifics surrounding the Orion UI redesign, as well as opportunities to provide feedback to members of our user experience team regarding these improvements. Your feedback might just earn you some much deserved Thwack points that can be redeemed for some cool SolarWinds SWAG!

With that prologue out of the way, it's time to run through a few notable new features we've been working on that are sure to put a smile on your face. As always, your feedback on features such as these is essential, and the absolute best time to provide that feedback is during betas. So if you're anything like me and would rather try out the new features yourself than simply read about them, short-circuit this post entirely and click the big red button below. Otherwise strap in, don your reading glasses (if you need them), and soak in the geek goodness below as I walk through some of the new features planned for this release and expose a few glimpses of the web interface redesign.

Active Directory Discovery

One of the many aspects we wanted to improve in this release is how servers are discovered in SAM. Network subnets, IP address ranges, and lists of individual IP addresses might seem like natural options for those of us who come from a network-centric background. However, for those unfamiliar with the network's design or IP addressing scheme, Active Directory in many instances provides much or all of the information needed about the servers residing on the network.

Active Directory discovery can be added as an additional discovery method to any new or previously existing discovery profile and used in conjunction with the three previously available methods for complete coverage across the environment.

Similar to the other three methods of discovery, multiple Active Directory domains may be used in the discovery profile. This is especially handy for large organizations that may have multiple domains running in their environment due to mergers and acquisitions, separation of internal business units, or even lab vs. production systems. Also, unlike Active Directory authentication to the Orion web console, there is no requirement for the Orion server to be in the same Active Directory domain as the domain controllers used for discovery.

Active Directory has the distinct advantage of allowing for more precise and targeted discovery within the environment. Instead of using a very broad discovery technique such as subnets or IP address ranges, you can more surgically discover only those items you wish to monitor, such as servers and/or workstations. This is particularly useful for organizations using /16 (65,534 usable addresses) or /8 (16,777,214 usable addresses) address blocks, where sequential network scanning may take hours or even days to complete. In environments such as these, much of that address space is unused, yet a sweep still has to probe every address to find out which ones are live before discovery can do anything with them. Active Directory, however, already holds a record of every host that is a member of the domain. Leveraging that database allows for a much more rapid scan of the servers and workstations on the network that could be monitored by SAM. The flip side is that it sees only domain-joined machines: appliances, hypervisors, and non-domain Linux hosts still need one of the subnet or IP range methods, which is why the methods can be combined in one profile.

Once you've added the Active Directory domain you wish to discover and click "Next" you are shown a complete listing of all Containers and Organizational Units (OUs) in the domain hierarchy. By default all OUs and Containers are selected, including any future Organizational Units that may be created after the discovery profile creation process is complete. Selecting the root level domain object toggles between select/deselect all, and the individual checkboxes on the left allow you to select the specific OUs to include or exclude from this discovery profile. The checkbox to the right of each OU listed designates whether to include any sub-OUs that may be created under that Organizational Unit in the future. For example: you have a root level Organizational Unit named "California" because you have only one office in that region today, located in Los Angeles. Later a new office is brought online in San Francisco. As a result you may decide to create two sub-OUs under California named "LA" and "SF" to manage group policy separately for each of those offices. The "Include Future OUs" option allows for these types of changes to occur within an OU, sub-OU, or domain without the need to update SAM's discovery profiles that are used for recurring nightly scheduled rediscovery of new devices in the environment. If not applicable or desirable in your organization, this option can of course be disabled.
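To make the OU scoping concrete, here is an added example (not SAM's code) that applies a discovery profile to computer objects by their distinguished names. The profile, domain, OU names and computer DNs are constructed for the example; the "include future sub-OUs" flag is modelled as LDAP subtree scope, and its absence as one-level scope (direct children of the selected OU only).

```python
import re

# Constructed discovery profile (assumption, not from the post): selected OU -> "include future sub-OUs"
PROFILE = {
    "OU=California,DC=corp,DC=example": True,   # subtree: LA, SF and any OU created later
    "OU=Servers,DC=corp,DC=example": False,     # one level: direct children only
}

# Constructed computer objects, as an LDAP search for objectClass=computer would return them
COMPUTERS = [
    "CN=WEB01,OU=LA,OU=California,DC=corp,DC=example",
    "CN=Lab\\, Box,OU=SF,OU=California,DC=corp,DC=example",   # escaped comma inside the RDN value
    "CN=SQL01,OU=Servers,DC=corp,DC=example",
    "CN=SQL02,OU=Legacy,OU=Servers,DC=corp,DC=example",       # sub-OU of Servers, not selected
    "CN=PC-7,CN=Computers,DC=corp,DC=example",                 # default container, not selected
]

def parse_dn(dn):
    """Split a DN into normalised (ATTR, value) RDNs, most specific first.
    Splits only on commas that are not backslash-escaped (RFC 4514 escaping)."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip()).lower()))
    return out

def in_scope(computer_dn, ou_dn, include_future_sub_ous):
    """True if the computer's container is the OU (one-level) or anywhere beneath it (subtree)."""
    container = parse_dn(computer_dn)[1:]     # drop the leaf CN=<computer>
    ou = parse_dn(ou_dn)
    if include_future_sub_ous:
        # subtree: the OU's RDN chain is a suffix of the computer's container chain
        return len(container) >= len(ou) and container[-len(ou):] == ou
    return container == ou

def select_computers(profile, computer_dns):
    """Map each computer DN to the first profile OU that claims it, or None if nothing does."""
    return {dn: next((ou for ou, sub in profile.items() if in_scope(dn, ou, sub)), None)
            for dn in computer_dns}

if __name__ == "__main__":
    for dn, ou in select_computers(PROFILE, COMPUTERS).items():
        print("discover" if ou else "skip    ", dn, "<-", ou)
```

Run as-is it discovers WEB01, "Lab, Box" and SQL01, and skips SQL02 (a sub-OU under a one-level selection) and PC-7 (the default Computers container, which is not an OU and was not selected). Newly created sub-OUs under California would be picked up on the next scheduled run without touching the profile, which is exactly what the "Include Future OUs" option buys you.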

Automatic Monitoring

Another primary area we focused on for this release is reducing or outright eliminating the maintenance overhead required to keep SAM up to date as new systems are brought online. Too many of us have been in the situation where a new critical business system is brought up in the environment, and the first time a problem is reported there's an immediate round of finger pointing among the responsible parties over why the system wasn't being monitored. As a result, many organizations have implemented rigid policies and processes around the provisioning of new systems in an attempt to close these blind spots. Unfortunately, even the best laid plans aren't immune to human error, however good the intentions behind them.

With that in mind we aimed to provide a mechanism that would ensure that as new systems were brought up in the environment that they would be monitored without relying on someone in the organization to manually add them to SAM for monitoring; or dig through the nightly Network Sonar Discovery Results to select which new items should be monitored. If adding individual devices manually is more your speed, or thumbing through the Network Discovery Results is how you enjoy spending your morning "me" time, those options continue to remain intact and unchanged in this release.

When selecting "Automatically Monitor" from the "Monitoring Settings" step of the Network Sonar Discovery Wizard, you may continue by clicking "Next" and accepting the recommended defaults (only "Up" interfaces, non-removable media volumes, etc.) or set your own preferences by clicking the "Define Monitoring Settings" button. Clicking this button takes you through a mini-wizard where you define what should be monitored automatically when found during the Sonar discovery process. These options include, but are not limited to, interface type (trunk, non-trunk), interface state at discovery (up/down/shutdown, etc.), interface name (contains, does not contain), interface description (contains, does not contain), volume type (Fixed Disk, Mount Points, etc.), and AppInsight applications. Additional steps may appear within the mini-wizard depending on which Orion modules are installed alongside SAM.

The next time the Network Sonar Discovery runs, either at the completion of creating the new Discovery Profile or its next scheduled run, any items found meeting the criteria defined within the profile not already monitored in Orion, will be automatically monitored by SAM.

For nodes managed via the optional Agent that was included as part of the SAM 6.2 release, these automatically become managed nodes in Orion by default when they first register with the Orion server or additional polling engine using Agent Initiated mode. Monitoring of these hosts however is limited to status, response time, CPU, and memory, without taking some additional step to select the specific items you'd like monitored on those hosts. The new automatic monitoring option shown here allows you to predefine those items just for agent managed nodes, agentlessly managed nodes, or all nodes in the environment depending upon the settings defined within the discovery profile.

There's still more in store for this release, but we are eager and anxious to get your feedback on some of the features already starting to near completion. Please note that the absolute best time to provide feedback is during the beta, as things are still very fluid and there's plenty of time to fix bugs, make adjustments, and alter the design before release. That's right, betas are intended not only as a mechanism for finding bugs, visual defects, or other things broken in the code, but also to address usability issues and design flaws as well. If you are interested in taking SAM 6.3 for a spin and kicking the tires on some of these (and other) features, simply sign-up here. The only requirement for participation in the beta is that you own an existing license of Server & Application Monitor which is currently under active maintenance.

We've seen time and again that dividing your security attention between the inside and the outside threat (and, unfortunately, the blend of both, when an outsider leverages or becomes an insider) is an ongoing challenge. If you check out our last 1-2 years of Federal IT Security Surveys, you'll see the insider is still a pretty big concern that's far less understood and harder to solve (more on that in "Internal Federal Cybersecurity Threats Nearly as Prevalent as External, SolarWinds Survey Reveals"), spanning training, actual technical controls, and the challenges of monitoring. In the interest of giving you a bit of a head start, here's some insight into ways you can monitor for malicious insiders with Log & Event Manager (LEM).


Out of the box, LEM includes both built-in File Integrity Monitoring (FIM) - which can audit for file and registry access/changes - and USB-Defender - which monitors USB device access. On systems where you may have potential exposure - think kiosks, systems with access to confidential data, servers, and shared workstations - deploying FIM and USB-Defender will allow you to:

Monitor for unexpected copying of files and data to USB devices, which can indicate data being exfiltrated

Detect attempts to bypass application installation and access policies by running applications directly from USB devices, which can put systems at risk

Detect changes to system settings and files that can indicate unexpected modifications, whether due to malware, policy bypassing, or intentional abuse

Out of the box, you'll want to look at the following LEM content:

Default FIM Monitors - the Windows Server template can also be applied to workstations as a place to start

Filters of interest:

Endpoint Monitoring > USB-Defender

Change Management > USB File Auditing, All File Audit Activity

Rules of interest can be found in the categories:

Activity Types > USB Device Monitoring, File Auditing

System and Endpoint Monitoring for Authentication and Change Events

Beyond tracking files and USB devices, on servers and workstations alike, authentication and change events offer unique insight into what's happening on the network and provide critical clues when it comes time to investigate. A domain controller's Security log does not record how a user logged on to a given machine (the logon type: console, RDP, network, service) or changes made to that machine's local accounts and groups; those events are written only to the Security log of the workstation or member server itself. Without insight into the actual workstations and member servers you'll be missing pieces of the puzzle. Deploy agents to all your critical member servers and to that same pool of workstations you need insight into, and get to tracking the local Event Logs. With this data, you can see:

Users logging on unexpectedly - unused accounts suddenly being used, service accounts being used to access the wrong systems, admin accounts being used incorrectly

Additional users & privileges - users being added to local or domain admins, local users being created

Out of the box, you'll want to look for the following LEM content:

Filters of interest in these categories:

Change Management

Authentication

Endpoint Monitoring

Rules of interest in the following categories:

Change Management

Authentication

Activity Types > Inappropriate Usage
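As an added example (not LEM content), here is the detection logic behind the file/USB indicators and the authentication and change indicators above, run over Windows Security events as they would be collected from the workstation and member server themselves, where the logon type and local group changes are actually recorded. The events, the removable drive letters, the service-account-to-host mapping and the last-logon baseline are all constructed for this example; the event IDs and field names are the standard Windows ones (4624 logon, 4663 object access, 4720 user created, 4732/4728 member added to a local/global group).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed environment knowledge (assumptions for this example, not from the post)
REMOVABLE_DRIVES = {"E:", "F:"}                                        # volumes USB-Defender would flag
SERVICE_ACCOUNTS = {"svc_backup": {"BACKUP01"}, "svc_sql": {"SQL01"}}  # account -> hosts it may log on to
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
INTERACTIVE_LOGON_TYPES = {"2", "10"}                                  # console and RemoteInteractive (RDP)
DORMANT_AFTER = timedelta(days=90)
USB_WRITE_THRESHOLD, USB_WINDOW = 20, timedelta(minutes=5)
WRITE_DATA = 0x2                                                       # AccessMask bit for WriteData/AddFile

# Constructed sample events using Windows Security log field names
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2015-07-01T08:02:00", "Computer": "WS-42", "TargetUserName": "jdoe", "LogonType": "2"},
    {"EventID": 4624, "TimeCreated": "2015-07-01T08:05:00", "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": "10"},
    {"EventID": 4624, "TimeCreated": "2015-07-01T08:06:00", "Computer": "WS-42", "TargetUserName": "tmp_contractor", "LogonType": "2"},
    {"EventID": 4732, "TimeCreated": "2015-07-01T08:07:00", "Computer": "WS-42", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberName": "CORP\\tmp_contractor"},
    {"EventID": 4720, "TimeCreated": "2015-07-01T08:08:00", "Computer": "FS01", "SubjectUserName": "svc_backup", "TargetUserName": "backup2"},
] + [  # twenty file writes to a removable volume inside two minutes
    {"EventID": 4663, "TimeCreated": f"2015-07-01T08:{10 + i // 10}:{(i % 10) * 6:02d}", "Computer": "WS-42",
     "SubjectUserName": "jdoe", "ObjectName": f"E:\\dump\\customers_{i}.csv", "AccessMask": "0x2"}
    for i in range(20)
]

# Constructed baseline of last observed logon per account (in practice this comes from history)
BASELINE = {
    "jdoe": datetime(2015, 6, 30, 17, 0),
    "tmp_contractor": datetime(2015, 2, 1, 9, 0),   # untouched for five months
    "svc_backup": datetime(2015, 6, 30, 23, 0),
}

def analyze(events, last_logon):
    """Return (rule, host, account, detail) alerts; last_logon is updated as logons are seen."""
    alerts = []
    usb_writes = defaultdict(list)          # (host, user) -> timestamps of recent removable-media writes
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        eid, host, ts = e["EventID"], e["Computer"], datetime.fromisoformat(e["TimeCreated"])
        if eid == 4663:
            drive = e.get("ObjectName", "")[:2].upper()
            if drive in REMOVABLE_DRIVES and int(e["AccessMask"], 16) & WRITE_DATA:
                key = (host, e["SubjectUserName"])
                usb_writes[key] = [t for t in usb_writes[key] if ts - t <= USB_WINDOW] + [ts]
                if len(usb_writes[key]) == USB_WRITE_THRESHOLD:     # fire once, when the window fills
                    alerts.append(("usb_bulk_copy", host, key[1], f"{USB_WRITE_THRESHOLD} writes to {drive} within {USB_WINDOW}"))
        elif eid == 4624:
            user, ltype = e["TargetUserName"], e["LogonType"]
            if user in SERVICE_ACCOUNTS:
                if ltype in INTERACTIVE_LOGON_TYPES:
                    alerts.append(("service_account_interactive", host, user, f"logon type {ltype}"))
                elif host not in SERVICE_ACCOUNTS[user]:
                    alerts.append(("service_account_wrong_host", host, user, f"allowed hosts {sorted(SERVICE_ACCOUNTS[user])}"))
            seen = last_logon.get(user)
            if seen is not None and ts - seen > DORMANT_AFTER:
                alerts.append(("dormant_account_used", host, user, f"last logon {seen.date()}"))
            last_logon[user] = ts
        elif eid in (4732, 4728) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_add", host, e["SubjectUserName"], f"added {e['MemberName']} to {e['TargetUserName']}"))
        elif eid == 4720:
            alerts.append(("local_user_created", host, e["SubjectUserName"], f"created {e['TargetUserName']}"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, dict(BASELINE)):
        print(*alert, sep=" | ")
```

On the sample set this raises five alerts: a service account logging on over RDP, a dormant contractor account waking up, that account being added to local Administrators, a new local user on a file server, and a burst of twenty writes to a USB volume. Note that the 4624 logon type and the 4732 local group change exist only on WS-42's and FS01's own logs; the domain controller would show you an authentication, not what kind of logon it was or which local group changed.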

Network Device Traffic Monitoring

If we move off of the systems themselves, we should also be able to detect behavior patterns that look abnormal using network traffic events. Sometimes putting agents on all workstations is infeasible, not to mention accounting for transient or new devices, and BYOD if you've got that in the mix as well. Collect logs from every device you can that sees traffic patterns and connectivity: IDS/IPS, firewalls, wireless APs/WLAN controllers, routers, switches, VPNs, etc. With network traffic data, we can look for:

If you've got a proxy or similar policy in place, users attempting to bypass it with direct outbound connections on port 80 (and 443) whose source is not your proxy server

Network traffic to/from unexpected hosts or ports - your servers/workstations will generally communicate to a smaller subset of known hosts, traffic outside of this pattern would be unexpected

Traditional Malware and Security Event Detection

You can definitely put your existing investments in pure security technology to work for you here, too. The name of the game is defense in depth: traditional malware detection, IDS and IPS, and other tools might not be enough alone, but each of them can play an important part in detecting potential abuse or piecing together fingerprints during an investigation. Infected endpoints are a gateway to the interior of the network, and most of us are not victims of zero-days but of some combination of existing malware and other known techniques, which gives us a good chance of detecting it somewhere along the way. With these feeds, you'll see things like:

IDS and IPS systems detecting potentially unwanted payloads or symptoms of infections or even exfiltration

Triggers from any other security systems you've got to put to work for you that generate event streams - wireless security, data leak prevention, etc

System errors and crash reports - malware that destabilizes a system or leaks resources tends to show up as errors and crashes in unexpected places

Out of the box, you'll want to look for the following LEM content:

Filters of interest include:

Security > Virus Attacks, IDS

IT Operations > Windows Error Events

Rules of interest in the following categories:

Security > Malware

Devices > IDS and IPS (and related device types for your systems)

Threat Intelligence and Dynamic Feeds to Detect Malicious Traffic

Thinking forward, if you've seen our LEM What We're Working on page, you'll note we're talking a little bit about Threat Intelligence Feeds. We're working on adding the capability for LEM to dynamically download a list of known bad actors - potentially infected hosts, botnets, command and control networks, spammers, and general IPs up to no good - and automatically use that to detect communication on your network. This will be a really good way to see:

When someone internal is communicating with a potentially malicious host, which can indicate they've already been infected

When you're being probed, attacked, or otherwise communicated with externally by a potentially malicious host, which can indicate an incoming attempt

Communication to/from spam, denial of service, or similar hosts that can indicate phishing attempts, zombies on your network, or other security issues

Watch for more on that here - when we've got more to discuss we'll update this post with how to use it to detect malicious insiders more specifically.

Manually, you can create and import lists of potentially unwanted IPs and ports and compare those to traffic as well. If you've got a list of known good ports that should be used to communicate on your network (especially inside>outside), or known applications if you're using Next-Gen firewalls, or known IP addresses when we're talking servers and controlled communication, build User-Defined Groups and rules/filters that compare to them.
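Here is an added example (not LEM content) that runs the proxy-bypass and unexpected-host/port checks from the network section above together with the list comparison just described, over constructed firewall log lines. The key=value log format, the internal address space, the proxy address, the allowed egress port group, the per-server peer baseline and the threat feed are all assumptions for the example; addresses come from the RFC 5737 documentation ranges, and the feed is a made-up sample in the usual one-entry-per-line shape.

```python
import ipaddress
import re

KV = re.compile(r"(\w+)=(\S+)")

# Constructed environment (assumptions): internal space, the proxy, and a user-defined
# group of ports allowed inside>outside
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_ADDRS = {ipaddress.ip_address("10.0.0.10")}
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443}
WEB_PORTS = {80, 443}
# Known peers per server: server -> {(peer network, port)} it is expected to talk to
SERVER_PEERS = {"10.0.5.20": {("10.0.0.0/16", 1433)}}

# Constructed threat feed: one IP or CIDR per line, comments after ';' or '#'
THREAT_FEED = """# constructed sample feed, not a real list
198.51.100.0/24 ; botnet command and control
203.0.113.66    ; scanner
"""

# Constructed firewall lines (key=value style); the last one is noise the parser must skip
SAMPLE_LOG = """Jul 01 08:10:01 fw1 src=10.0.0.10 dst=192.0.2.44 dport=80 proto=tcp action=allow
Jul 01 08:10:02 fw1 src=10.0.7.15 dst=192.0.2.44 dport=443 proto=tcp action=allow
Jul 01 08:10:03 fw1 src=10.0.7.15 dst=198.51.100.23 dport=6667 proto=tcp action=allow
Jul 01 08:10:04 fw1 src=203.0.113.66 dst=10.0.0.5 dport=22 proto=tcp action=deny
Jul 01 08:10:05 fw1 src=10.0.5.20 dst=10.0.1.9 dport=1433 proto=tcp action=allow
Jul 01 08:10:06 fw1 src=10.0.5.20 dst=10.0.7.15 dport=445 proto=tcp action=allow
Jul 01 08:10:07 fw1 src=10.0.7.15 dst=10.0.0.5 dport=53 proto=udp action=allow
Jul 01 08:10:08 fw1 link state changed on eth1
"""

def load_feed(text):
    """Parse a threat list into networks; single addresses become /32 (or /128) networks."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def parse_line(line):
    """Return (src, dst, dport) from a key=value firewall line, or None if it is not a flow record."""
    fields = dict(KV.findall(line))
    try:
        return ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]), int(fields["dport"])
    except (KeyError, ValueError):
        return None

def is_internal(ip):
    return any(ip in n for n in INTERNAL_NETS)

def analyze(log_text, feed_text):
    """Return (rule, log line) alerts for the sample rules."""
    bad = load_feed(feed_text)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        outbound = is_internal(src) and not is_internal(dst)
        # List comparison in both directions: an infected host calling out, or something probing us
        if any(dst in n for n in bad):
            alerts.append(("threat_intel_outbound", line))
        if any(src in n for n in bad):
            alerts.append(("threat_intel_inbound", line))
        # Direct web traffic that did not originate from the proxy
        if outbound and dport in WEB_PORTS and src not in PROXY_ADDRS:
            alerts.append(("proxy_bypass", line))
        # Egress on a port outside the allowed group
        if outbound and dport not in ALLOWED_EGRESS_PORTS:
            alerts.append(("unexpected_egress_port", line))
        # A server talking to something outside its known peer set
        peers = SERVER_PEERS.get(str(src))
        if peers and not any(dst in ipaddress.ip_network(net) and dport == port for net, port in peers):
            alerts.append(("server_unexpected_peer", line))
    return alerts

if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_LOG, THREAT_FEED):
        print(f"{rule:24} {line}")
```

The sample produces five alerts: a workstation going straight to port 443 around the proxy, the same workstation reaching a listed C2 range on an IRC port (which trips both the list check and the egress port group), a listed scanner hitting SSH from outside, and the SQL server talking SMB to a workstation it has no business talking to. Building the allowed-port and known-peer sets is the same work as building User-Defined Groups in LEM; the rule logic is what the filters and rules then compare against.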

What About Other SolarWinds Products? How Can They Help, Too?

Sure! Here are some ideas on using other products to help you detect potential malicious behavior internally:

Network Performance Monitor: monitor for unexpected firewall/network performance issues and high bandwidth utilization that can indicate an outbreak or a single infected host

Netflow Traffic Analyzer: building on the above unknown traffic patterns, look for possible unexpected hosts, ports, or communication patterns that might give you an idea something is wrong

User Device Tracker: useful when tracking and potentially detecting issues at endpoints - the "who" to go with the "where"

Patch Manager: track systems out of compliance with patching policies, out of date systems are MUCH more likely to be victims of malware and other security issues

Feel free to let us know if you've got any content you're interested in seeing around detecting malicious insiders, any ideas or successful stories yourselves, or any other questions we can help with in the comments!

We are happy to announce that version 7.4 of SolarWinds Network Configuration Manager ships the DISA STIG, NIST FISMA, and PCI DSS compliance reports out of the box. Wait -- that's not all! For DISA STIGs, we now support Brocade, Dell, Cisco, Juniper, and Palo Alto. The NIST FISMA and PCI reports have been developed for Cisco.

Simply select any of these new report(s) that you wish to run and “enable” them by following the steps outlined below.

Look for Cisco firmware vulnerabilities

If network security is a concern in your organization, you should definitely use this new capability of NCM -- run a nightly vulnerability assessment based on recent CVE data provided by the National Vulnerability Database -- NVD (by NIST). NCM will download and process the CVE data in a SCAP-compatible way and will notify you of potential vulnerabilities, provide detailed information and let you take an appropriate action. This security scan works even if your NCM server is not connected to the Internet -- you just have to download the datafiles manually.

Cisco IOS and ASA Vulnerability Reporting

NCM uses Cisco IOS and ASA firmware and configuration vulnerability data from the National Vulnerability Database to record which nodes in NCM are vulnerable. This information is available in a new Firmware Vulnerability resource and as a report.
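As an added example (not NCM's implementation), here is the core of that kind of matching: take each node's product and firmware version and compare it with the CPE 2.3 names that NVD attaches to each CVE. The CVE records and the node inventory are constructed for the example, and the CVE identifiers are placeholders, not real entries.

```python
import re

# Constructed CVE records in the shape of NVD feed data: id -> affected CPE 2.3 names.
# The identifiers are placeholders for this example, not real CVEs.
SAMPLE_CVES = {
    "CVE-0000-0001": ["cpe:2.3:o:cisco:ios:15.2\\(4\\)m3:*:*:*:*:*:*:*",
                      "cpe:2.3:o:cisco:ios:15.2\\(4\\)m4:*:*:*:*:*:*:*"],
    "CVE-0000-0002": ["cpe:2.3:o:cisco:asa:9.1\\(2\\):*:*:*:*:*:*:*"],
    "CVE-0000-0003": ["cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*"],   # version ANY: every IOS release
}

# Constructed NCM-style inventory: node -> (product, firmware version as the device reports it)
INVENTORY = {
    "rtr-edge-1": ("ios", "15.2(4)M3"),
    "rtr-core-2": ("ios", "15.4(3)M2"),
    "fw-dmz-1": ("asa", "9.1(2)"),
    "sw-access-3": ("ios_xe", "16.3.5"),
}

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 components.
    Colons separate fields; a backslash escapes the next character, so 15.2\\(4\\)m3 stays one field."""
    parts = [re.sub(r"\\(.)", r"\1", p) for p in re.split(r"(?<!\\):", cpe)]
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts

def cpe_applies(cpe, product, version):
    """True for an exact version match, False when the CPE's version is ANY ('*'),
    None when the CPE names a different product or a different version."""
    _, _, part, vendor, prod, ver = parse_cpe23(cpe)[:6]
    if (part, vendor, prod) != ("o", "cisco", product):
        return None
    if ver == version:
        return True
    return False if ver == "*" else None

def match_inventory(inventory, cves):
    """node -> [(cve_id, confirmed)]; confirmed=False means only a version-agnostic CPE matched."""
    findings = {}
    for node, (product, raw_version) in inventory.items():
        version = raw_version.lower()            # NVD lowercases versions: 15.2(4)M3 -> 15.2(4)m3
        hits = []
        for cve_id, cpes in cves.items():
            results = [r for r in (cpe_applies(c, product, version) for c in cpes) if r is not None]
            if results:
                hits.append((cve_id, any(results)))
        findings[node] = hits
    return findings

if __name__ == "__main__":
    for node, hits in match_inventory(INVENTORY, SAMPLE_CVES).items():
        for cve_id, confirmed in hits:
            print(node, cve_id, "version match" if confirmed else "version-agnostic CPE, review")
```

Two caveats a practitioner will run into with real NVD data: many entries express the affected range with versionStartIncluding/versionEndExcluding fields on the CPE match rather than an exact version, so a production matcher also needs a Cisco-aware version comparison; and a CPE with version "*" (as in the third constructed record) cannot be confirmed automatically, which is why a report should separate "version matched" from "needs review" rather than lumping both under "vulnerable".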

NCM Entirely Web-based

The NCM desktop application is no longer available and all functionality has migrated to the SolarWinds Orion Web Console.